A while back I blogged about using WinRM from a command line to remotely control AMT. http://communities.intel.com/community/openportit/vproexpert/blog/2009/12/10/using-amt-remotley-from-a-command-line-with-winrm


In that post I limited the example to Digest and no TLS. Now I'll show how to use AMT with Kerberos and with Server TLS (sTLS). Note that WinRM cannot be used to access AMT using Mutual TLS. So, let's start with sTLS. First, we assume that your console machine trusts the CA that signed AMT's certificate. You can check this by opening AMT's web UI. If there are no cert errors, everything is in order. Now, make a couple of easy adjustments to the command line example from the previous article as follows:


winrm enumerate http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_HostedService -remote:https://%AMTFQDN%:16993/wsman -u:%AMTUser% -p:%AMTPassword% -a:Digest -encoding:utf-8


The adjustments are as follows:

  1. Use the FQDN instead of the IP. This allows the certificate subject to be validated against AMT's FQDN.

  2. Change the port from 16992 to 16993. AMT listens for TLS connections on 16993.

  3. Add https:// after -remote:. This tells WinRM to use TLS when connecting.
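
A scripted version of the trust check described above, as an added example that is not from the original post: it connects to the AMT TLS port and reports whether the certificate validates on this console and whether its subject matches the FQDN. The function names are hypothetical; it assumes PowerShell 3.0 or later and reads the same AMTFQDN environment variable as the command line.

```powershell
# Added example (not from the original post). Function names are hypothetical.
# Maps .NET certificate validation flags to the prerequisites listed above.
function Get-AmtTlsFinding {
    param([System.Net.Security.SslPolicyErrors]$PolicyErrors)
    $findings = @()
    if ($PolicyErrors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors) {
        $findings += 'Chain error: the certificate chain did not validate on this console (for example, the signing CA is not trusted).'
    }
    if ($PolicyErrors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) {
        $findings += 'Name mismatch: connect with the FQDN that appears in the certificate subject, not the IP.'
    }
    if ($PolicyErrors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNotAvailable) {
        $findings += 'No certificate was presented on this port.'
    }
    return $findings
}

function Test-AmtTlsTrust {
    param([Parameter(Mandatory)][string]$Fqdn, [int]$Port = 16993)
    $script:AmtPolicyErrors = [System.Net.Security.SslPolicyErrors]::None
    $script:AmtSubject = $null
    # Record the validation result instead of aborting, so every problem is reported.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($source, $cert, $chain, $policyErrors)
        $script:AmtPolicyErrors = $policyErrors
        if ($cert) { $script:AmtSubject = $cert.Subject }
        $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Fqdn, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Fqdn)   # $Fqdn is the name the certificate is checked against
        $ssl.Dispose()
    } catch {
        $msg = "Connection or handshake failed: $($_.Exception.Message)"
        return [pscustomobject]@{ Fqdn = $Fqdn; Trusted = $false; Subject = $null; Findings = @($msg) }
    } finally { $tcp.Close() }
    $findings = @(Get-AmtTlsFinding -PolicyErrors $script:AmtPolicyErrors)
    [pscustomobject]@{ Fqdn = $Fqdn; Trusted = ($findings.Count -eq 0); Subject = $script:AmtSubject; Findings = $findings }
}

# Uses the same AMTFQDN environment variable as the winrm command line; does nothing if it is unset.
if ($env:AMTFQDN) { Test-AmtTlsTrust -Fqdn $env:AMTFQDN | Format-List }
```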


For Kerberos you have a couple of choices. If you are logged into your console as a Kerberos user who has the proper access to AMT, you can just use your logged-in credentials. Otherwise, you can specify the credentials you want to use. Below is a command line for using the logged-in credentials. Also, we're using sTLS (my machine was provisioned with MS Config Manager).


winrm enumerate http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_HostedService -remote:https://%AMTFQDN%:16993/wsman -a:Kerberos -encoding:utf-8 -SPNPort


The adjustments:

  1. -a:Kerberos. This tells WinRM to use Kerberos. Note, this could be left off since WinRM uses Kerberos by default.

  2. -SPNPort. Appends the port number to the SPN when authenticating. If that doesn't make sense, don't worry. Just be sure to always add this switch when doing Kerberos with AMT.

  3. Remove -u & -p. Since we didn't specify credentials, WinRM uses the ones we logged in with.


To specify Kerberos credentials, simply add the -u & -p options. Be sure to specify the domain in the username. For example, vprodemo/itproadmin.